MASTG-TEST-0282: Unsafe Custom Trust Evaluation
Overview
This test evaluates whether an Android app uses checkServerTrusted(...) in an unsafe manner as part of a custom TrustManager, causing any connection configured to use that TrustManager to skip certificate validation.
Such unsafe implementations can allow an attacker to run a MITM attack with a valid (or self-signed) certificate and intercept or tamper with the app's traffic.
Steps
- Reverse engineer the app (see Decompiling Java Code).
- Run a static analysis tool for the app (see Static Analysis on Android) and look for all usages of checkServerTrusted(...).
Observation
The output contains a list of locations where checkServerTrusted(...) is used.
Evaluation
The test fails if checkServerTrusted(...) is implemented in a custom X509TrustManager and does not properly validate server certificates.
This includes cases such as:
- Using a custom checkServerTrusted(...) implementation, which is error-prone, when the Network Security Configuration (NSC) would be enough.
- Trust manager that does nothing: overriding checkServerTrusted(...) to accept all certificates without any validation, for example by returning immediately without verifying the certificate chain or by always returning true.
- Ignoring errors: failing to throw proper exceptions (e.g. CertificateException or IllegalArgumentException) on validation failure, or catching and suppressing them.
- Using checkValidity() instead of full validation: checkValidity() only checks whether the certificate is expired or not yet valid; it does not verify trust or hostname matching.
- Explicitly loosening trust: disabling trust checks to accept self-signed or untrusted certificates for convenience during development or testing.
- Misusing getAcceptedIssuers(): returning null or an empty array without proper handling may effectively disable issuer validation.
When testing using automated tools, you will need to inspect all the reported locations in the reverse-engineered code to confirm the incorrect implementation (see Reviewing Decompiled Java Code).